Without further comment…
From the GEDmatch.com Facebook page:
Text of the above image:
“On the morning of July 19, GEDmatch experienced a security breach orchestrated through a sophisticated attack on one of our servers via an existing user account. We became aware of the situation a short time later and immediately took the site down. As a result of this breach, all user permissions were reset, making all profiles visible to all users. This was the case for approximately 3 hours. During this time, users who did not opt in for law enforcement matching were available for law enforcement matching and, conversely, all law enforcement profiles were made visible to GEDmatch users.
“This was the extent of the breach. No user data was downloaded or compromised.
“We have reported the unauthorized access to the appropriate authorities and continue to work toward identifying the individuals responsible for this violation.
“Today, as we continued to investigate the incident and work on a permanent solution to safeguard against threats of this nature, we discovered that the site was still vulnerable and made the decision to take the site down until such time that we can be absolutely sure that user data is protected against potential attacks. We are working with a cybersecurity firm to conduct a comprehensive forensic review and help us implement the best possible security measures.
“This is clearly disappointing for our company, as user privacy and data security are our top priorities. We apologize to our GEDmatch users and our law enforcement customers for the concern and frustration this situation has caused.
“Thank you for your continued support of GEDmatch.
“If you have questions, please reach out to us at gedmatch@verogen.com. We will update you as soon as we have more information to share.”
The GEDmatch.com website remains offline as of this posting.
For the record, The Legal Genealogist does not recommend using GEDmatch. See “Withdrawing a recommendation.”
Cite/link to this post: Judy G. Russell, “GEDmatch security breach,” The Legal Genealogist (https://www.legalgenealogist.com/blog : posted 21 July 2020).
The self control of the Legal Genealogist is remarkable. 🙂
When Verogen bought Gedmatch (Dec 2019) I suspected it wouldn’t be long before a security excuse could be used to justify developing the site to its own purposes, despite all the assurances given to the previous developers and owners. Now on attempt to access you will see this: “The gedmatch site is down for maintenance. Currently no ETA for availability.” Very curious indeed.
Was this a deliberate back door, to ensure that law enforcement can now and in the future access anyone’s data, regardless of whether or not the owner has or has not voluntarily given permission to access same? According to both published statements, law enforcement or any other had complete ownership of all data for “3 hours.” I feel that the basic trust in this matter has been irrevocably damaged.
There have been no further details disclosed.
John – There are many unanswered questions as of today, so we will have to wait and see what develops from this, and whether more info is disclosed, but here is an article that provides a bit of context today – https://www.buzzfeednews.com/article/peteraldhous/hackers-gedmatch-dna-privacy
It looks like emails obtained from GEDmatch were also likely used in a phishing scam to obtain login info at MyHeritage.com. I personally suspect it could be a long time before the GEDmatch site is back up, if Verogen takes the opportunity to rework the site and its security. We probably won’t know with any certainty who was behind the breach for quite some time, if at all. I am just curious to see how this will be handled.
After reading your post about withdrawing your recommendation on GEDmatch, I immediately deleted my account in May 2019. Thanks again!
Gedmatch is back online. I have deleted all my information from the site.
I’m sure sorry that site has had the history it’s had. I for one didn’t even get an email explaining the breach (others did, but although I have a current account, and a paid one, I never got an official “hi user here’s the deal” explanation).
I am a bit late to this party, but after the sale to Verogen, I, too, was wondering how long there would be an OOPS and data breach. I deleted my GEDMATCH account then, but really really REALLY miss the tools.
It’s pointless to say it out loud but I will vent my frustration anyway – I wish some clever people would start up a GEDMATCH alternative with some stricter privacy implementations and a policy like 23AndMe’s in place as well as FTDNA’s call for police transparency. Maybe omit the ability to search a match’s matches if necessary, to prevent LEOs from surreptitiously uploading data and searching matches of matches.
I have a software background, and I did briefly hack around with tools by Felix Chandrakumar. But even if I did develop the expertise to tweak his software and get things right, I definitely cannot afford the servers and hosting, and my time is limited.
Thank you Judy for reporting on this issue. You seem to be just about the only genetic genealogist voice in this regard. I am hooked on Forensic Files, and I love to watch videos on YouTube on how cold cases were solved with DNA. But I love the United States of America and the freedom principles on which it was founded. At the social media places I hang out on, I meet people from around the world who tell me if America sacrifices these freedoms there is no hope for the rest of the world. As much as I would like to see cold cases solved, there just aren’t the protections in place against abuses by law enforcement agencies. I don’t think it is worth sacrificing what remains of our 4th Amendment rights.
I know darn well what I am wishing for isn’t going to happen. GEDMATCH always bounces back after each “incident.” People have 5 minute attention spans. The interest for a privacy-oriented alternative just isn’t there.
I am wondering if you are still not recommending GEDmatch?
Correct. I am not and do not foresee recommending them in the future.